Not allowing to connect Sentinel Data connector with Defender XDR

Karan Bhatt 27 Reputation points
2024-05-08T12:07:43.2433333+00:00

Hello,

I was trying to connect the "Microsoft Defender XDR" connector with "Microsoft Sentinel", but I am facing the below error. I am not sure why Sentinel is not allowing to establish the XDR connector. As I am the Owner of the Azure Subscription which is reside in the same Tenant where I am the Global Administrator.

As per my research, I found that the App ID belongs to the Microsoft Owned Enterprise Application and when this application is trying to authenticate with the SIEM connector it gets restricted which can be verify under Non-interactive sign-in logs of the GA user.

Can anyone support me to resolve this error.

Error:
"The portal is having issues getting an authentication token. The experience rendered may be degraded. Additional information from the call to get a token: Extension: Microsoft_Azure_Security_Insights Resource: securitycentermicrosoftthreatprotection Details: interaction_required: AADSTS50131: Device is not in required device state: known. Or, the request was blocked due to suspicious activity, access policy, or security policy decisions. Trace ID: d504c379-5e36-4e75-b856-7fe436ba4c00 Correlation ID: 69c34683-6857-45c1-b856-13d352c53ac9 Timestamp: 2024-05-07 11:58:00Z"

error 1

error 2

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,039 questions
Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
174 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. akinbade abiola 6,735 Reputation points
    2024-05-08T13:12:50.61+00:00

    Hello Karan, thanks for contacting question and answer.

    The AADSTS50131 error you're encountering when connecting Microsoft 365 Defender to Sentinel is often caused by classic conditional access policies set up through Intune integration. To resolve this, try initiating the connection from an Azure AD registered device, as this may bypass the issue. See: https://video2.skills-academy.com/en-gb/mem/intune/protect/advanced-threat-protection-configure#:%7E:text=When%20you%20integrate,deleted%2C%20or%20disabled.

  2. James Hamil 22,891 Reputation points Microsoft Employee
    2024-05-16T19:38:30.0233333+00:00

    Hi @Karan Bhatt , this could be due to a number of reasons, such as an issue with the device state or a security policy decision.

    To resolve this issue, you can try the following steps:

    1. Check the device state: The error message indicates that the device is not in the required device state. You can check the device state by going to the Azure Active Directory portal and selecting the device. Make sure that the device is in a known state and that there are no issues with the device.
    2. Check the access policy: The error message also indicates that the request may have been blocked due to access policy or security policy decisions. You can check the access policy and security policy settings in the Azure portal to make sure that they are not blocking the request.
    3. Check the authentication settings: Make sure that the authentication settings for the Microsoft Defender XDR connector are configured correctly in Microsoft Sentinel. You can check the authentication settings by going to the Microsoft Defender XDR connector page in Microsoft Sentinel and verifying that the correct credentials are entered.
    4. Check the permissions: Make sure that you have the correct permissions to connect the Microsoft Defender XDR connector to Microsoft Sentinel. You need to have the Contributor or Owner role on the Azure subscription to connect the connector.

    If none of the above work please let me know and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    0 comments